Week 11: More on risk assessment

Question 1

What is risk is closely related with?

Answer 1

uncertainty

Question 1

How to define value and capture indicators to measure and manage risk?

Answer 1

-Outcomes that have an impact on what humans value
– Possibility of occurrence (uncertainty)
– Formula to combine both elements

Question 2

What is Risk assessment?

Answer 2

is the process of collating observations and perceptions of the world that can be justified by logical reasoning or comparisons with actual outcomes

Question 3

What is Risk management?

Answer 3

is the process of developing and evaluating options to address the risks in a way agreeable

Question 4

What is Risk governance?

Answer 4

the overarching set of ongoing processes and principles that aim to ensure awareness, education, responsibility and accountability to all involved in managing it

Question 5

What are the three possible decisions following risk management

Answer 5

Intolerable
tolerable
acceptable

Question 6

What is tolerable?

Answer 6

risks have been reduced with methods to be as low as possible

Question 7

What is intolerable?

Answer 7

The aspect of the system at risk needs to be replaced or abandoned vulnerabilities needs to be reduced

Question 8

What is acceptable?

Answer 8

risk reduction is not necessary (no intervention needed). Risk can also be used to pursue opportunities (a.k.a. ‘upside risk’), so the outcome may be to embrace it rather than reduce it.

Question 9

What are the 4 types of risks?

Answer 9

Routine risks
Complex risks
Uncertain risks
Ambiguous risks

Question 10

What are Routine risks?

Answer 10

These follow a fairly normal decision-making process for management. Statistics and relevant data are provided, desirable outcomes and limits of acceptability are defined, and risk reduction measures are implemented and enforced. Renn gives examples of car accidents and safety devices.

Question 11

What are complex risks

Answer 11

where risks are less clear cut, more evidence needed

drug treatment effects or climate change are examples of this.

Question 12

What are Uncertain risks?

Answer 12

where a lack of predictability exists, factors such as reversibility, persistence and ubiquity

negative side effects can be contained and rolled-back. Resilience to uncertain outcomes is key here.

Question 13

Ambiguous risks

Answer 13

where stakeholders interpret risk differently, risk

address the causes for the differing views.
For example, in genetically modified foods where wellbeing concerns conflict with sustainability options.

Question 14

Why is a risk assessment needed?

Answer 14

To prioritise treatment, effort and strategy
To measure expected benefits resulting from the treatment against the risk impact

Question 15

What are the two methods of risks being assessed?

Answer 15

Qualitatively
Quantitatively

Question 16

How can risks be assessed Quantitatively?

Answer 16

Risk matrices, ALEs and ABLEs

Question 17

How can risks be assessed Qualitatively?

Answer 17

risk control self-assessment (RCSA), scorecards and key risk indicators (KRIs)
Largely based on human judgment, experience and intuition

Question 18

What the three types of management options?

Answer 18

a risk-based management approach
a resilience-based approach
a discourse-based approach

Question 19

What is a a discourse-based approach?

Answer 19

(including risk communication and conflict resolution to deal with ambiguities).

Question 20

What is a resilence-based approach

Answer 20

(where it is accepted that risk will likely remain but needs to be contained, e.g. using ALARA/ALARP principles)

Question 21

What is a risk-based management approach

Answer 21

(risk-benefit analysis or comparative options)

Question 22

What are types of risk management

Answer 22

Risk avoidance
Risk transference
Risk acceptance
Risk mitigation
Risk deterrence

Question 23

How can A risk value can be calculated?

Answer 23

Risk value = f(likelihood, impact, value)
e.g. Risk value = likelihood x impact x value

Question 24

What is ALE?

Answer 24

Annualized Loss Expectancy (ALE)

Question 25

how is ALE worked out?

Answer 25

Annualized Rate of Occurrence (ARO): This is a number representing the frequency of an attack occurrence in 1 year
x
Single Loss Expectancy (SLE): A monetary value value that describes how much an incident resulting from the attack on an asset will cost the enterprise

Question 26

list pros of ALE

Answer 26

tangible measure of risk based on monetary values

Question 27

cons of ALE

Answer 27

ALE is very difficult to precisely estimate in a real world scenario
This is often dependent on historical values for both AROs and SLEs

Question 28

cons of ALE

Answer 28

ALE is very difficult to precisely estimate in a real world scenario
This is often dependent on historical values for both AROs and SLEs